Attacker Value: High (1 user assessed)
Exploitability: Moderate (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Local

CVE-2020-8835

Disclosure Date: March 30, 2020
MITRE ATT&CK tactics
  • Defense Evasion (validated)
  • Initial Access (validated)

Description

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (This issue is also known as ZDI-CAN-10780.)

Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Technical Analysis

This vulnerability occurs due to a flaw in calculating safe bounds while performing arithmetic involving a pointer and a scalar when the scalar’s actual value is not known. The verifier calculates a minimum and maximum value (for both signed and unsigned numbers) that can be safely added / subtracted to / from the pointer to ensure that out-of-bounds memory is not accessed. Additionally, the verifier uses the var_off bound to represent what it knows about the current state of the register that the bound is for. The __reg_bound_offset32() function was added in order to update bounds specifically when 32-bit conditionals are performed; however, the technique used to calculate and update bounds can result in bounds that are less than the actual value of the register, meaning that the verifier can be tricked into allowing out-of-bounds reads and writes after all.

I’m not well-versed in exploiting out-of-bounds writes on Linux, but based off of the blog post, triggering the vulnerability seems fairly straightforward at least. The vulnerability didn’t make it to many mainline distro releases, so I reduced the exploitability rating a bit. In the rare chance that you are running a kernel version vulnerable to this, definitely prioritize this and patch your system.
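To make the bound-tracking flaw described above concrete, here is an added C model (not code from this page, the assessment author, or the kernel itself) of the verifier's tnum arithmetic and of the __reg_bound_offset32() narrowing as I recall it from the 5.5-era verifier source. The tnum helpers are reconstructed from memory, the bounds in the example are constructed, and the guarded variant is my own soundness check, not the upstream fix.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
/* Model of the verifier's tnum ("tracked number"): bit i is known iff mask bit i is 0,
 * and its value is then bit i of .value. All bits unknown is {0, ~0}. */
struct tnum { uint64_t value, mask; };
#define TNUM(v, m) ((struct tnum){ (v), (m) })
static const struct tnum tnum_unknown = { 0, ~0ULL };
static struct tnum tnum_intersect(struct tnum a, struct tnum b) {   /* both facts hold */
    uint64_t mu = a.mask & b.mask;
    return TNUM((a.value | b.value) & ~mu, mu);
}
static struct tnum tnum_or(struct tnum a, struct tnum b) {          /* bitwise OR of two tnums */
    uint64_t mu = a.mask | b.mask;
    return TNUM(a.value | b.value, mu & ~(a.value | b.value));
}
/* Smallest tnum containing every integer in [min, max]: bits above the highest bit where
 * min and max differ are known, everything below is unknown (kernel's tnum_range). */
static struct tnum tnum_range(uint64_t min, uint64_t max) {
    uint64_t chi = min ^ max, delta;
    int bits = chi ? 64 - __builtin_clzll(chi) : 0;                  /* fls64(chi) */
    if (bits > 63) return tnum_unknown;
    delta = (1ULL << bits) - 1;
    return TNUM(min & ~delta, delta);
}
static bool tnum_admits(struct tnum t, uint64_t v) { return ((v ^ t.value) & ~t.mask) == 0; }
/* The 32-bit narrowing as recalled: derive a tnum for the low 32 bits from the *masked*
 * 64-bit unsigned bounds and merge it back with the untouched high 32 bits. */
static struct tnum reg_bound_offset32(struct tnum var_off, uint64_t umin, uint64_t umax) {
    uint64_t mask = 0xffffffffULL;
    struct tnum range = tnum_range(umin & mask, umax & mask);
    struct tnum lo32 = TNUM(var_off.value & mask, var_off.mask & mask);
    struct tnum hi32 = TNUM((var_off.value >> 32) << 32, (var_off.mask >> 32) << 32);
    return tnum_or(hi32, tnum_intersect(lo32, range));
}
/* Guarded variant (my own check, not the upstream fix): masking the bounds only yields a
 * genuine range of the low word when umin and umax share the same high 32 bits. */
static struct tnum reg_bound_offset32_guarded(struct tnum var_off, uint64_t umin, uint64_t umax) {
    return (umin >> 32) == (umax >> 32) ? reg_bound_offset32(var_off, umin, umax) : var_off;
}
/* Soundness check: a value inside [umin, umax] must never be rejected by the narrowed tnum. */
static bool narrowing_unsound(uint64_t umin, uint64_t umax, uint64_t v) {
    return v >= umin && v <= umax && !tnum_admits(reg_bound_offset32(tnum_unknown, umin, umax), v);
}
int main(void) {
    /* Constructed case: bounds [1, 0x1_0000_0001] straddle a 32-bit boundary, so the masked
     * range collapses to [1, 1] and the narrowed tnum wrongly "knows" the low word is 1. */
    printf("value 2 rejected although in bounds: %s\n", narrowing_unsound(1, 0x100000001ULL, 2) ? "yes" : "no");
    return 0;
}
```

The unsound tnum is exactly what lets a later bounds check pass for a register whose real value differs from what the verifier believes; the guarded version leaves var_off untouched in that case.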

CVSS V3 Severity and Metrics
Base Score: 7.8 High
Impact Score: 5.9
Exploitability Score: 1.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • canonical
  • fedoraproject
  • linux
  • netapp

Products

  • 8300 firmware
  • 8700 firmware
  • a220 firmware
  • a320 firmware
  • a400 firmware
  • a700s firmware
  • a800 firmware
  • c190 firmware
  • cloud backup
  • fas2720 firmware
  • fas2750 firmware
  • fedora 30
  • fedora 31
  • fedora 32
  • h300e firmware
  • h300s firmware
  • h410s firmware
  • h500e firmware
  • h500s firmware
  • h610c firmware
  • h610s firmware
  • h615c firmware
  • h700e firmware
  • h700s firmware
  • hci management node
  • linux kernel
  • solidfire
  • steelstore cloud integrated storage
  • ubuntu linux 18.04
  • ubuntu linux 19.10
